nitb: Fix IMSI/IMEI buffer handling (Coverity)

Currently the handling of the buffers is not done consistently. Some
code assumes that the whole buffer may be used to store the string
while at other places, the last buffer byte is left untouched in the
assumption that it contains a terminating NUL-character. The latter
is the correct behaviour.

This commit changes to code to not touch the last byte in the buffers
and to rely on the last byte being NUL. So the maximum IMSI/IMEI
length is GSM_IMSI_LENGTH-1/GSM_IMEI_LENGTH-1.

For information: We assume that we allocate the structure with
talloc_zero. This means we have NULed the entire imsi array and then
only write sizeof - 1 characters to it. So the last byte remains NUL.

Fixes: Coverity CID 1206568, 1206567
Sponsored-by: On-Waves ehf

1 files changed, 2 insertions, 2 deletions

diff --git a/openbsc/src/libmsc/db.c b/openbsc/src/libmsc/db.c
index bdecbb436..428f99bbc 100644
--- a/openbsc/src/libmsc/db.c
+++ b/openbsc/src/libmsc/db.c
@@ -565,7 +565,7 @@ static int get_equipment_by_subscr(struct gsm_subscriber *subscr)
 
 	string = dbi_result_get_string(result, "imei");
 	if (string)
-		strncpy(equip->imei, string, sizeof(equip->imei));
+		strncpy(equip->imei, string, sizeof(equip->imei)-1);
 
 	string = dbi_result_get_string(result, "classmark1");
 	if (string) {
@@ -802,7 +802,7 @@ static void db_set_from_query(struct gsm_subscriber *subscr, dbi_conn result)
 	const char *string;
 	string = dbi_result_get_string(result, "imsi");
 	if (string)
-		strncpy(subscr->imsi, string, GSM_IMSI_LENGTH);
+		strncpy(subscr->imsi, string, GSM_IMSI_LENGTH-1);
 
 	string = dbi_result_get_string(result, "tmsi");
 	if (string)